As security threats evolve, e-mail has been displaced by the Web as the primary delivery mechanism for malicious code. The old model of virus definition based antivirus software has been increasingly called into question. In 2007, Australia's Computer Emergency Response Team claimed that leading products missed 80% of new viruses. To compensate, companies like Trend Micro and Kaspersky are developing cloud based "reputation services" to evaluate URLs and code.

NSS president, and former VP of marketing at antivirus vendor ESET, Rick Moy explained in a phone interview: cybercriminals now typically use social engineering to trick users into downloading malware from web sites and run it voluntarily. Malware creators run "campaigns" on Twitter and other social media sites baiting users with anything from pornography to free iPads.

Even the most savvy of users can occasionally be tricked by social engineering - we posted our own list of tech savvy Twitter users who fell for phishing scam last year. For an explanation of how such savvy users get fooled, read Cory Doctorow's recent Lotus Magazine piece explaining why he fell for a phishing scam.

Trend Micro recently published an independent report claiming the IT industry is being lulled into a false sense of security by vendors. The report cites an NSS survey which found half of respondents thought their antivirus solutions would protect them from threats 100% of the time, and that another 10% of respondents thought their solutions would protect them 99% of the time.

Moy says there's also a perception in the enterprise that anti-malware products are essentially interchangeable, but that's turning out not be the case: NSS's testing found wild disparities between the efficacy of different products, and found that a company's previous track record is no indication of how well it will perform.